Post on 12-Jun-2020
Let’s Make College Happen
Building a More Secure Cloud Architecture
Jerry Archer, SVP and CSO
Security Guiding Principles in the Cloud
Secure Perimeter
• Micro-segmentation – isolating applications and data with a hardened configuration immune to attack
• Strong abstraction layer from hardware and VM environment
• Restricted visibility into computing environment
• Discrete and limited perimeter which can be subjected to effective monitoring
Continuous Encryption
• Encryption of data at rest
• Encryption of data in transit
• Secure key management – leveraging PKI for transaction functions
Continuous Monitoring
• Reachable attachment points for monitoring capabilities through comprehensive APIs
• Robust monitoring data availability
• Easy integration of third-party monitoring capabilities
Resilient Operations
• Capable of withstanding attack
• Minimal degradation of performance as a result of environmental failures
• Continuous function in the presence of an ongoing attack
Highly Granular Access Control
• Capable of highly granular resource allocation
• Strong cryptographic identity management
• Ubiquitous – users, administrators, applications, data
Governance, Risk Management, Compliance
• Visibility of configurations
• Readily identify gaps or other weaknesses
• Auditable evidence
• Broad regulatory and compliance certifications
Ready Incident Response
• Hybrid automation and manual response
Basic AWS Building Block: Virtual Private Cloud (VPC)
• VPC is a logically isolated section of the AWS cloud using SDN functionality
• Complete control over the virtual networking environment
  • IP address ranges
  • Creation of subnets, route tables and network gateways
  • Supporting both IPv4 and IPv6
• Custom Sallie Mae AWS network configuration (template based)
  • Front office public-facing subnet for web servers
  • Backend systems private-facing subnets with no Internet access
  • Multiple layers of security, including security groups and network access control lists limiting access
  • Virtual Private Network (VPN) connection between corporate datacenter and Sallie Mae VPCs
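As an added example (not code from the presentation or from Sallie Mae), a small Python check that reads a CloudFormation-style VPC template and enforces two of the rules stated above: backend subnets must have no default route to an Internet or NAT gateway, and only the web-tier security group may accept connections from 0.0.0.0/0, and only on 443. The CloudFormation resource types and property names are real; the logical names, the subnet and security-group sets, and the sample template are constructed for the example.

```python
def _ref(value):
    """Resolve a {"Ref": "Name"} intrinsic to the logical resource name."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value

def internet_routed_tables(res: dict) -> set:
    """Route tables whose default route reaches the Internet (IGW or NAT gateway)."""
    tables = set()
    for r in res.values():
        if r["Type"] != "AWS::EC2::Route":
            continue
        p = r["Properties"]
        dest = p.get("DestinationCidrBlock") or p.get("DestinationIpv6CidrBlock")
        gw_type = res.get(_ref(p.get("GatewayId")), {}).get("Type")
        if dest in ("0.0.0.0/0", "::/0") and (gw_type == "AWS::EC2::InternetGateway" or "NatGatewayId" in p):
            tables.add(_ref(p["RouteTableId"]))
    return tables

def find_violations(template: dict, private_subnets: set, web_sgs: set) -> list:
    """Findings against the two rules; an empty list means the template is compliant."""
    res, findings = template["Resources"], []
    igw_tables = internet_routed_tables(res)
    for name, r in res.items():
        p = r.get("Properties", {})
        if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation":
            if _ref(p["SubnetId"]) in private_subnets and _ref(p["RouteTableId"]) in igw_tables:
                findings.append(f"{name}: private subnet has a route to the Internet")
        elif r["Type"] == "AWS::EC2::SecurityGroup":
            for rule in p.get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                ports = (rule.get("FromPort"), rule.get("ToPort"))
                if world and (name not in web_sgs or ports != (443, 443)):
                    findings.append(f"{name}: world-reachable ingress on ports {ports}")
    return findings

# Constructed sample (not Sallie Mae's template); PrivateDefault and DbSG are the planted mistakes.
def mk_route(table, gw):
    return {"Type": "AWS::EC2::Route", "Properties": {"RouteTableId": {"Ref": table},
            "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": gw}}}
def mk_assoc(subnet, table):
    return {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": {"Ref": subnet}, "RouteTableId": {"Ref": table}}}
def mk_sg(port, cidr):
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}]}}

SAMPLE = {"Resources": {
    "IGW": {"Type": "AWS::EC2::InternetGateway"},
    "PublicDefault": mk_route("PublicRT", "IGW"), "PrivateDefault": mk_route("PrivateRT", "IGW"),
    "WebAssoc": mk_assoc("WebSubnet", "PublicRT"), "DbAssoc": mk_assoc("DbSubnet", "PrivateRT"),
    "WebSG": mk_sg(443, "0.0.0.0/0"), "DbSG": mk_sg(3306, "0.0.0.0/0")}}
```

A route on the private table toward a VPN gateway (the corporate datacenter link) is not flagged, because only Internet and NAT gateways count as Internet reachability.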
Software Defined Perimeter (SDP)
• Pre-authenticated
  • Eliminates major vulnerability in TCP/IP
  • Authentication prior to connection
• Context-aware (granular access control)
  • Secure access to enterprise applications
• Isolating communications to end-user devices
  • Enables rapid identification and prevention of network-based cyberattacks such as denial of service, connection hijacking, and credential theft
  • Significant improvement in vulnerability management
• Leverages industry standard security capabilities (SAML, PKI, and mutually authenticated TLS)
• SDP Controller functions as a trust broker between the SDP Client and back-end security controls such as the Issuing Certificate Authority (CA) and identity provider (SAML)
• An open standard and controller code supported by the Cloud Security Alliance (CSA)
Sallie Mae Virtual Enclave: Leveraging AWS VPC to Achieve Robust Cloud Security
Implementation of the Virtual Enclave (VE) architecture utilizes micro-segmentation to provide customizable, strong logical isolation of Sallie Mae systems and services using software defined security techniques, meeting all of the essential elements of security in the cloud.
Benefits of this implementation:
• Leverages the basic building block of AWS Virtual Private Clouds (VPCs)
• Granular inter/intra-VE visibility/access
• Leverages AWS native encryption within the VE
• Limits client device access (granular access control)
• Enhanced perimeter with Software Defined Perimeter (SDP)
• “Invisibility” of the VE
Integrated Cloud Security and Architecture with SDP
[Architecture diagram; only its labels survive extraction:] Perimeter Security; Ready Incident Response; Resilient Operations; Continuous Encryption; Log Immutability; Highly Granular Access Control; Governance, Risk and Compliance; Strong User Authentication; Active Directory Federation; WAF, F/W, IPS, IDS, DDoS; Forensics Preservation; Threat Monitoring / Hunting; Machine Learning, UBA; Continuous Compliance Monitoring; IAM Dynamic Access Leases; Region Lock; Tamper Protection; Auto-Remediation of Non-Compliance; ServiceNow; Bastion Host DMZ; 24/7 SOC; Advanced IaaS Endpoint Protection; Secure Web Gateway (Egress) – Malware, Content, DLP inspection; Centralized Egress; Endpoint